Table of Contents
Fetching ...

Text is All You Need for Vision-Language Model Jailbreaking

Yihang Chen, Zhao Xu, Youyuan Jiang, Tianle Zheng, Cho-Jui Hsieh

TL;DR

This work reveals a critical OCR-based vulnerability in LVLMs by introducing Text-DJ, a black-box, model-agnostic jailbreak that converts harmful prompts into text-in-image prompts and presents them in a multi-image grid. The method decomposes harmful queries into semantically related sub-queries, pairs them with semantically irrelevant distraction queries, and leverages cross-modal processing to bypass text-based safety guards. Across open- and closed-source LVLMs and under guard-model defenses, Text-DJ achieves higher attack success than prior approaches and demonstrates the need for OCR-aware defenses. The findings underscore the risk of fragmented multimodal prompts and motivate the development of robust cross-modal safety mechanisms for OCR components.

Abstract

Large Vision-Language Models (LVLMs) are increasingly equipped with robust safety safeguards to prevent responses to harmful or disallowed prompts. However, these defenses often focus on analyzing explicit textual inputs or relevant visual scenes. In this work, we introduce Text-DJ, a novel jailbreak attack that bypasses these safeguards by exploiting the model's Optical Character Recognition (OCR) capability. Our methodology consists of three stages. First, we decompose a single harmful query into multiple and semantically related but more benign sub-queries. Second, we pick a set of distraction queries that are maximally irrelevant to the harmful query. Third, we present all decomposed sub-queries and distraction queries to the LVLM simultaneously as a grid of images, with the position of the sub-queries being middle within the grid. We demonstrate that this method successfully circumvents the safety alignment of state-of-the-art LVLMs. We argue this attack succeeds by (1) converting text-based prompts into images, bypassing standard text-based filters, and (2) inducing distractions, where the model's safety protocols fail to link the scattered sub-queries within a high number of irrelevant queries. Overall, our findings expose a critical vulnerability in LVLMs' OCR capabilities that are not robust to dispersed, multi-image adversarial inputs, highlighting the need for defenses for fragmented multimodal inputs.

Text is All You Need for Vision-Language Model Jailbreaking

TL;DR

This work reveals a critical OCR-based vulnerability in LVLMs by introducing Text-DJ, a black-box, model-agnostic jailbreak that converts harmful prompts into text-in-image prompts and presents them in a multi-image grid. The method decomposes harmful queries into semantically related sub-queries, pairs them with semantically irrelevant distraction queries, and leverages cross-modal processing to bypass text-based safety guards. Across open- and closed-source LVLMs and under guard-model defenses, Text-DJ achieves higher attack success than prior approaches and demonstrates the need for OCR-aware defenses. The findings underscore the risk of fragmented multimodal prompts and motivate the development of robust cross-modal safety mechanisms for OCR components.

Abstract

Large Vision-Language Models (LVLMs) are increasingly equipped with robust safety safeguards to prevent responses to harmful or disallowed prompts. However, these defenses often focus on analyzing explicit textual inputs or relevant visual scenes. In this work, we introduce Text-DJ, a novel jailbreak attack that bypasses these safeguards by exploiting the model's Optical Character Recognition (OCR) capability. Our methodology consists of three stages. First, we decompose a single harmful query into multiple and semantically related but more benign sub-queries. Second, we pick a set of distraction queries that are maximally irrelevant to the harmful query. Third, we present all decomposed sub-queries and distraction queries to the LVLM simultaneously as a grid of images, with the position of the sub-queries being middle within the grid. We demonstrate that this method successfully circumvents the safety alignment of state-of-the-art LVLMs. We argue this attack succeeds by (1) converting text-based prompts into images, bypassing standard text-based filters, and (2) inducing distractions, where the model's safety protocols fail to link the scattered sub-queries within a high number of irrelevant queries. Overall, our findings expose a critical vulnerability in LVLMs' OCR capabilities that are not robust to dispersed, multi-image adversarial inputs, highlighting the need for defenses for fragmented multimodal inputs.
Paper Structure (52 sections, 3 equations, 11 figures, 14 tables, 1 algorithm)

This paper contains 52 sections, 3 equations, 11 figures, 14 tables, 1 algorithm.

Figures (11)

  • Figure 1: Text-DJ pipeline illustration.
  • Figure 2: TiI procedure illustration.
  • Figure 3: Ablation of ${\rm TiI}(\cdot)$ procedure. Comparing the cross-modal attack (with ${\rm TiI}(\cdot)$) against a text-only variant.
  • Figure 4: Ablation of distraction queries. Comparing most unrelated or random query.
  • Figure 5: Ablation of embedding strategy. We compare using sentence embeddings versus image embeddings to select distraction queries in our attack.
  • ...and 6 more figures